Title: [228696] trunk
- Revision: 228696
- Author: dba...@webkit.org
- Date: 2018-02-19 10:34:07 -0800 (Mon, 19 Feb 2018)
Log Message
Null pointer dereference in WebPageProxy::urlSchemeHandlerForScheme()
https://bugs.webkit.org/show_bug.cgi?id=182905

Reviewed by Alex Christensen.

Return nullptr when querying for the scheme handler of the null string.

Before a navigation is performed WebKit checks if the destination URL is associated with an app
unless the embedding client overrides the WKNavigationDelegate delegate callback -webView:decidePolicyForNavigationAction:decisionHandler.
If the URL is not associated with an app then WebKit may fall back to checking if the embedding
client registered a scheme handler for it. Currently we assume that the scheme is a non-null
string when checking the scheme handler registry. However the scheme can be a null string if
it is part of a malformed URL. And this leads to bad news bears when we try to use it to look
for a scheme handler. Instead check that the scheme is a non-null string before checking to see
if it is in the scheme handler registry.

* UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::urlSchemeHandlerForScheme):
Modified Paths
Diff
Modified: trunk/Source/WebKit/ChangeLog (228695 => 228696)
--- trunk/Source/WebKit/ChangeLog 2018-02-19 18:18:57 UTC (rev 228695)
+++ trunk/Source/WebKit/ChangeLog 2018-02-19 18:34:07 UTC (rev 228696)
@@ -1,3 +1,24 @@
+2018-02-19 Daniel Bates <daba...@apple.com>
+
+ Null pointer dereference in WebPageProxy::urlSchemeHandlerForScheme()
+ https://bugs.webkit.org/show_bug.cgi?id=182905
+
+ Reviewed by Alex Christensen.
+
+ Return nullptr when querying for the scheme handler of the null string.
+
+ Before a navigation is performed WebKit checks if the destination URL is associated with an app
+ unless the embedding client overrides the WKNavigationDelegate delegate callback -webView:decidePolicyForNavigationAction:decisionHandler.
+ If the URL is not associated with an app then WebKit may fall back to checking if the embedding
+ client registered a scheme handler for it. Currently we assume that the scheme is a non-null
+ string when checking the scheme handler registry. However the scheme can be a null string if
+ it is part of a malformed URL. And this leads to bad news bears when we try to use it to look
+ for a scheme handler. Instead check that the scheme is a non-null string before checking to see
+ if it is in the scheme handler registry.
+
+ * UIProcess/WebPageProxy.cpp:
+ (WebKit::WebPageProxy::urlSchemeHandlerForScheme):
+
2018-02-19 Ms2ger <ms2...@igalia.com>
Explicitly qualify some method calls on this in lamdas in Service Worker code.
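Review bot: The new entry describes the failure only as "bad news bears" in the paragraph starting "Before a navigation is performed" and never says what actually goes wrong when a null scheme reaches the registry lookup; state the concrete failure there (the title already calls it a null pointer dereference) so the entry stands on its own for someone triaging bug 182905 later. The entry also lists only UIProcess/WebPageProxy.cpp, while this revision adds a test under Tools/TestWebKitAPI, and no Tools ChangeLog entry for that test is visible in this diff.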
Modified: trunk/Source/WebKit/UIProcess/WebPageProxy.cpp (228695 => 228696)
--- trunk/Source/WebKit/UIProcess/WebPageProxy.cpp 2018-02-19 18:18:57 UTC (rev 228695)
+++ trunk/Source/WebKit/UIProcess/WebPageProxy.cpp 2018-02-19 18:34:07 UTC (rev 228696)
@@ -7199,7 +7199,7 @@
WebURLSchemeHandler* WebPageProxy::urlSchemeHandlerForScheme(const String& scheme)
{
- return m_urlSchemeHandlersByScheme.get(scheme);
+ return scheme.isNull() ? nullptr : m_urlSchemeHandlersByScheme.get(scheme);
}
void WebPageProxy::startURLSchemeTask(URLSchemeTaskParameters&& parameters)
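Review bot: The guard `scheme.isNull() ? nullptr : m_urlSchemeHandlersByScheme.get(scheme)` in urlSchemeHandlerForScheme() carries no comment saying why a null String must not be passed to the map lookup, so the check looks removable to a later reader. Add a one-line comment naming malformed URLs as the source of the null scheme, and confirm that any other lookup or insertion on m_urlSchemeHandlersByScheme that takes a caller-supplied scheme is protected as well, since this hunk guards only this one accessor.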
Modified: trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/DecidePolicyForNavigationAction.mm (228695 => 228696)
--- trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/DecidePolicyForNavigationAction.mm 2018-02-19 18:18:57 UTC (rev 228695)
+++ trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/DecidePolicyForNavigationAction.mm 2018-02-19 18:34:07 UTC (rev 228696)
@@ -561,6 +561,29 @@
TestWebKitAPI::Util::run(&done);
}
+@interface DecidePolicyForNavigationActionForMalformedURLDelegate : NSObject <WKNavigationDelegate>
+@end
+
+@implementation DecidePolicyForNavigationActionForMalformedURLDelegate
+
+- (void)webView:(WKWebView *)webView didFinishNavigation:(WKNavigation *)navigation
+{
+ finishedNavigation = true;
+}
+
+@end
+
+TEST(WebKit, DecidePolicyForNavigationActionForMalformedURL)
+{
+ auto webView = adoptNS([[WKWebView alloc] init]);
+ auto controller = adoptNS([[DecidePolicyForNavigationActionForMalformedURLDelegate alloc] init]);
+ [webView setNavigationDelegate:controller.get()];
+
+ finishedNavigation = false;
+ [webView loadRequest:[NSURLRequest requestWithURL:[NSURL URLWithString:@"N"]]];
+ TestWebKitAPI::Util::run(&finishedNavigation);
+}
+
#endif
#endif
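Review bot: The delegate in this test implements only -webView:didFinishNavigation:, so TestWebKitAPI::Util::run(&finishedNavigation) never returns if loading @"N" ends in a failure callback instead of finishing; set the flag from -webView:didFailProvisionalNavigation:withError: as well, so a regression shows up as a test failure rather than a hang. The test also makes no assertion, so it passes purely by not crashing; a short comment saying that, and that the delegate intentionally leaves decidePolicyForNavigationAction unimplemented so the default policy path with the malformed URL is exercised, would make the intent clear.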
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes